Amendments to the Claims:

This listing of claims will replace all prior versions and listings of claims in the 
application. 

Claims 1-10 (Cancelled) 

11. (Currently Amended) A method for controlling access by a requestor [[(7)]] to 
resources [[(2d)]] in a distributed computer system [[(1)]], comprising defining conditions for 
obtaining a right to a resource [[(2d)]], assigning to the requestor [[(7)]] at least one role based on an 
access control list, defining a part of a set of resources [[(2d)]] that is accessible by a given role 
by a validity domain, and utilizing the validity domain of the given role to restrict the 
resources accessible for the given role to only part of the resources, the role overlaying one or 
more privileges and capable of being assigned to a plurality of requestors. 

12. (Previously Presented) A method according to claim 11, further comprising 
storing an additional piece of information relative to the need to consult the validity domain 
of the role in the access control list. 

13. (Previously Presented) A method according to claim 12, further comprising 
consulting the additional information relative to the need to consult the validity domain of the 
role and verifying that the resource in question belongs to the validity domain only if required 
by said information. 

14. (Currently Amended) A method according to claim 12, further comprising 
performing an access check on two levels: 

[[■]] a first-level check on the type of the resource [[(2d)]]; and 
[[■]] a second-level check on the identifier of the resource [[(2d)]]. 

15. (Previously Presented) A method according to claim 14, wherein the first-level 
check verifies the existence of at least one entry of the access control list that satisfies 
conditions for obtaining a requested right of entry, and, if the right of entry exists, the 
existence of a validity domain for said entry. 

16. (Previously Presented) A method according to claim 15, wherein the second- 
level check verifies, if a requested permission for right of entry contains a resource identifier, 
the existence of at least one configured permission corresponding to the requested permission 
and the value of the additional information relative to the need to consult the validity domain. 

17. (Previously Presented) A method according to claim 11, further comprising 
grouping rights or resources into generic groups represented by special characters or 
keywords or other symbols. 

18. (Previously Presented) A method according to claim 12, further comprising 
grouping rights or resources into generic groups represented by special characters or 
keywords or other symbols. 

19. (Previously Presented) A method according to claim 13, further comprising 
grouping rights or resources into generic groups represented by special characters or 
keywords or other symbols. 

20. (Previously Presented) A method according to claim 14, further comprising 
grouping rights or resources into generic groups represented by special characters or 
keywords or other symbols. 

21. (Previously Presented) A method according to claim 15, further comprising 
grouping rights or resources into generic groups represented by special characters or 
keywords or other symbols. 
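The two-level check of claims 14 to 16, the "consult the validity domain only if required" rule of claim 13, and the generic groups of claim 17 can be modelled in a few dozen lines. The following is an added illustration written for this listing; it is not code from the application or its applicant. The names Permission, Role, check_domain, first_level, second_level and check_access, the (type, identifier) representation of a resource, the use of the wildcard "*" as the generic-group symbol, and the sample roles OPERATOR, AUDITOR and RESTRICTED are all assumptions made for the example.

```python
"""Added example of a two-level, validity-domain-restricted access check.

Hypothetical model (not taken from the claims):
  - a resource is a (type, identifier) pair, e.g. ("printer", "printer-floor1-07");
  - an ACL entry (Permission) grants a right on a resource type and carries the
    'additional piece of information' check_domain, i.e. whether the role's
    validity domain must be consulted for that entry;
  - a Role overlays a list of such entries and optionally a validity domain,
    a set of identifier patterns; '*' is the generic-group symbol.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Permission:
    resource_type: str   # type of resource the entry applies to, or "*"
    right: str           # right granted, e.g. "print", "read", or "*"
    check_domain: bool   # additional information: consult the validity domain?


@dataclass
class Role:
    name: str
    acl: list[Permission] = field(default_factory=list)
    # validity domain: identifier patterns this role may actually reach;
    # None means the role has no validity domain configured
    validity_domain: set[str] | None = None


def first_level(role: Role, resource_type: str, right: str) -> list[Permission]:
    """First-level check on the resource type.

    Returns the ACL entries of the role that satisfy the requested right on the
    requested type. An entry that requires the validity domain to be consulted
    is only retained if the role has a validity domain at all.
    """
    matches = [p for p in role.acl
               if fnmatchcase(resource_type, p.resource_type)
               and fnmatchcase(right, p.right)]
    return [p for p in matches
            if not p.check_domain or role.validity_domain is not None]


def second_level(role: Role, entries: list[Permission],
                 resource_id: str | None) -> bool:
    """Second-level check on the resource identifier.

    Without an identifier the first-level result stands. With one, at least
    one retained entry must either not require the domain, or the identifier
    must belong to the role's validity domain (wildcards allowed).
    """
    if resource_id is None:
        return bool(entries)
    for p in entries:
        if not p.check_domain:
            return True
        # first_level guarantees validity_domain is not None here
        if any(fnmatchcase(resource_id, pat) for pat in role.validity_domain):
            return True
    return False


def check_access(roles: list[Role], resource_type: str, right: str,
                 resource_id: str | None = None) -> bool:
    """Grant if any role assigned to the requestor passes both levels."""
    for role in roles:
        entries = first_level(role, resource_type, right)
        if entries and second_level(role, entries, resource_id):
            return True
    return False


# Constructed sample configuration (hypothetical, for the example only).
OPERATOR = Role("operator",
                acl=[Permission("printer", "print", check_domain=True),
                     Permission("printer", "status", check_domain=False)],
                validity_domain={"printer-floor1-*"})
AUDITOR = Role("auditor", acl=[Permission("*", "read", check_domain=False)])
# entry demands a domain check but no domain is configured: always refused
RESTRICTED = Role("restricted", acl=[Permission("db", "write", check_domain=True)])

if __name__ == "__main__":
    print(check_access([OPERATOR], "printer", "print", "printer-floor1-07"))  # True
    print(check_access([OPERATOR], "printer", "print", "printer-floor2-01"))  # False
    print(check_access([RESTRICTED], "db", "write", "payroll"))               # False
```

Note the asymmetry that the example makes visible: an entry with check_domain set but no validity domain behind it fails at the first level (claim 15), whereas an entry with the flag cleared never consults the domain at all (claim 13), so a misplaced flag silently widens access to every identifier of that type.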

22. (Currently Amended) A device for controlling access by a requestor [[(7)]] to 
interrogated resources [[(2d)]] in a distributed computer system [[(1)]], comprising at least one 
management machine (2a) (2b) (2g) (2d) organized into one or more networks, said 
machine having at least one calling entity [[(4)]], for designating actions executed by the 
requestor [[(7)]], an application program interface for transmitting interrogations from the 
calling entity, an access control service for receiving said interrogations and controlling 
access of the requestors [[(7)]] to the interrogated resources [[(2d)]], storage means (10) (12) for 
storing roles, access control lists and validity domains and means (0) (11) (13) for accessing 
the storage means, wherein the roles overlay one or more privileges and are capable of being 
assigned to one or more requestors. 

23. (Currently Amended) A device for controlling access by a requestor [[(7)]] to 
interrogated resources [[(2d)]] in a distributed computer system [[(1)]], according to claim 22, 
further comprising means for defining conditions for obtaining a right to a resource, means 
for assigning to the requestor at least one role based on an access control list, and means for 
restricting the resources accessible for a given role to only part of the resources by means of a 
validity domain of the role. 

24. (Currently Amended) A device for controlling access by a requestor [[(7)]] to 
interrogated resources [[(2d)]] in a computer system [[(4)]], according to claim 23, wherein the 
means for storing stores an additional piece of information relative to the need to consult the 
validity domain of the role in the access control list. 

25. (Currently Amended) A device for controlling access by a requestor [[(7)]] to 
interrogated resources [[(2d)]] in a computer system [[(4)]], according to claim 24, further 
comprising means for consulting the additional information relative to the need to consult the 
validity domain of the role and verifying that the resource in question belongs to the validity 
domain only if required by said information. 

26. (Currently Amended) A device for controlling access by a requestor [[(7)]] to 
interrogated resources [[(2d)]] in a computer system [[(4)]], according to claim 25, further 
comprising means for performing an access check on two levels: 

[[■]] a first-level check on the type of the resource [[(2d)]]; and 
[[■]] a second-level check on the identifier of the resource [[(2d)]]. 
27. (Currently Amended) A device for controlling access by a requestor [[(7)]] to 
interrogated resources [[(2d)]] in a computer system [[(1)]], according to claim 26, wherein [[a]] the 
first-level check verifies the existence of at least one entry of the access control list that 
satisfies conditions for obtaining a requested right of entry to a resource, and, if the entry 
exists, the existence of a validity domain for said entry. 

28. (Currently Amended) A device for controlling access by a requestor [[(7)]] to 
interrogated resources [[(2d)]] in a computer system, according to claim 27, wherein [[a]] the 
second-level check verifies, if a requested right of entry to a resource contains a resource 
identifier, the existence of at least one configured permission corresponding to the requested 
right of entry and the value of additional information relative to the need to consult the 
validity domain. 

29. (Currently Amended) A software module for controlling access by a requestor 
[[(7)]] to resources [[(2d)]] of a computer system comprising means for defining conditions for 
obtaining a right of entry to a resource [[(2d)]], means for assigning to the requestor at least one 
role based on an access control list, means for defining a part of a set of resources [[(2d)]] that is 
accessible by a given role by a validity domain, and means for utilizing the validity domain 
of the given role to restrict the resources accessible for [[a]] the given role to only part of the 
resources [[by means of a validity domain]], wherein the role overlays one or more privileges 
and is capable of being assigned to a plurality of requestors. 

30. (Previously Presented) A software module for controlling access to resources 
according to claim 29, further comprising means for storing an additional piece of 
information relative to a need to consult the validity domain of the role in the access control 
list. 

31. (Previously Presented) A software module for controlling access to resources 
according to claim 30, further comprising means for consulting the additional information 
relative to the need to consult the validity domain of the role and verifying that the resource 
in question belongs to the validity domain only if required by said information. 

32. (Currently Amended) A software module for controlling access to resources 
according to claim 31, further comprising means for performing an access check on two 
levels: 

[[■]] a first-level check on the type of the resource [[(2d)]]; and 
[[■]] a second-level check on the identifier of the resource [[(2d)]]. 

33. (Currently Amended) A software module for controlling access to resources 
according to claim 32, wherein the first-level check verifies the existence of at least one entry 
of the access control list that satisfies conditions for obtaining the requested right of entry, 
and, if the entry exists, the existence of a validity domain for said entry. 

34. (Currently Amended) A software module for controlling access to resources 
according to claim 33, wherein the second-level check verifies, if the requested permission 
contains a resource identifier, the existence of at least one configured permission 
corresponding to the requested right of entry and the value of additional information relative 
to the need to consult the validity domain. 